From 14c1d02a12f1542af33f2a9cc5d8ac6eb6cad962 Mon Sep 17 00:00:00 2001
From: FailSafe Research Team
 <190101117+failsafesecurity@users.noreply.github.com>
Date: Wed, 22 Apr 2026 14:54:10 +0800
Subject: [PATCH] fix(security): captcha bypass via predictable test account
 patterns

---
 packages/modal/src/ui/containers/Login/Login.tsx | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/packages/modal/src/ui/containers/Login/Login.tsx b/packages/modal/src/ui/containers/Login/Login.tsx
index 4111509ab..b8ce37c79 100644
--- a/packages/modal/src/ui/containers/Login/Login.tsx
+++ b/packages/modal/src/ui/containers/Login/Login.tsx
@@ -185,7 +185,9 @@ function Login(props: LoginProps) {
       });
 
       let token: string | undefined = undefined;
-      if (!isTestAccountPattern(authConnection, loginHint)) {
+      const isDev = process.env.NODE_ENV !== "production";
+      const requiresCaptcha = !(isDev && isTestAccountPattern(authConnection, loginHint));
+      if (requiresCaptcha) {
         const res = await captchaRef.current?.execute({ async: true });
         if (!res) {
           throw WalletLoginError.connectionError("Captcha token is required");
@@ -660,4 +662,4 @@ function Login(props: LoginProps) {
   );
 }
 
-export default Login;
+export default Login;
\ No newline at end of file